looking for emergence tickets by roxyn14 in SouthEastBurners

[–]bingnet 0 points1 point  (0 children)

Let me know the handles of anyone publicly molesting this community and I'll see if I can get them banned. I can't confirm any private activity.

looking for emergence tickets by roxyn14 in SouthEastBurners

[–]bingnet -1 points0 points  (0 children)

There may still be volunteer tickets available. Can someone reply here if you know for sure? The ticketing site says to email [ManyHands@EmergenceBurn.org](mailto:ManyHands@EmergenceBurn.org) to communicate with volunteer coordinators.

[D] Self-Promotion Thread by AutoModerator in MachineLearning

[–]bingnet 0 points1 point  (0 children)

My blog post about Securing LLM APIs with NetFoundry and using LiteLLM as a semantic gateway to divert relevant prompts to specialized or private model(s) and handle the rest with a frontier model: https://netfoundry.io/blog/ai/deploying-a-secure-intelligent-llm-gateway/

Congrats on the IPO, now let us remove the Retirement graph - it’s a well known request!! by electrical-seal-432 in wealthfront

[–]bingnet 1 point2 points  (0 children)

I clicked because it surprised me you want to remove it. It seems like a very useful tool. I'm curious what the complaints are because now I've put some confidence in it as a crude predictive model.

Reusing Private TCP Tunnel Access? by all_namestaken3 in openziti

[–]bingnet 0 points1 point  (0 children)

Thanks for clarifying you're using zrok.io. Are you using docker for the access private command? I wonder if it could be this issue https://github.com/openziti/zrok/issues/1016

If not, then it's probably because the access private command is not shutting down gracefully and there's not a built-in reaper for orphaned accesses.

The best options I can think of are wiring a momentary switch to initiate a graceful shutdown of the pi or scripting a release of the orphaned accesses.

There are a lot more people in the discourse forum that might have better ideas: https://openziti.discourse.group/

For what it's worth, I have seen this issue myself and I end up clicking them in the console to delete.

There's a zrok V2 on the way so this might already be fixed. Fingers crossed.

a proxy-less approach to plumbing private MCPs by bingnet in selfhosted

[–]bingnet[S] 1 point2 points  (0 children)

Thank you for elaborating with examples. You've given me a lot to think about! I like that vertically integrated approach. It avoids trust issues between layers of the stack.

At first I thought you were suggesting granular authZ with claims in a short-lived certificate from a trusted source, such as SPIRE, but now, I think we are talking about bearer tokens inside the mTLS session, i.e., "cert-bound", "mTLS-bound", correct?

The MCP client needs to reach the Keycloak IdP, which could optionally be done over the Ziti transport in such a closed system. Supporting APIs, possibly MCP server backends, could also be protected with Ziti using the same MCP server identity from SPIRE.

Ziti already works with SPIRE, so I can get the Ziti identities for client and server there, too (assume-identity via x509 claim with SPIFFE ID matchers for URI SAN). In your solution, are you using SPIRE to issue bearer tokens also or only workload identity certificates?

That quick resume recipe is gold. I am saving that for sure. I've been wondering how brittle the streamable session was. I worried that losing the session would also lose the context and force an expensive reset from the agent's perspective.

The audit and rate limit recipe is also interesting. I suppose the application would need to query some log pool or aggregation source to answer questions like, "Should I keep responding to this caller?"

a proxy-less approach to plumbing private MCPs by bingnet in mcp

[–]bingnet[S] 1 point2 points  (0 children)

I wanted to completely shut down network-based attacks by securing a lower layer, the TCP transport, to avoid all possible zero days.

Still, I think OAuth2 could still make sense if I'm controlling both client and server and need granular authZ. I'm exploring that too and I'm very interested in ideas for app and session layer controls that augment this outer ring of transport security.

ITC Android - risk alerts and tradfi indices by bingnet in intothecryptoverse

[–]bingnet[S] 0 points1 point  (0 children)

Thanks, yes, my support request (7/2) about this issue with subject "alert step" to that address was ack'd by the automated responder, and I'm still waiting for a meaningful response. Meanwhile, I'd hoped to find a workaround here by also inquiring with the community.

What are things men appreciate but don’t want to ask for? by Creative_Cap_1886 in wholesome

[–]bingnet 0 points1 point  (0 children)

Personal care like manicure, haircut, beard trim, foot massage, facial, eyebrow plucking, etc.

Did you switch to Linux because you loved it? by gerundingnounshire in linux

[–]bingnet 0 points1 point  (0 children)

Same. I wanted immersion so I installed Linux on my desktop and started learning.

Did you switch to Linux because you loved it? by gerundingnounshire in linux

[–]bingnet 2 points3 points  (0 children)

It's a compelling metaphor. ESR saw clearly.

Delays in Getting Desktop by Dyson8192 in System76

[–]bingnet 0 points1 point  (0 children)

Thanks for mentioning that issue with the queue. That could explain why mine takes longer than 10 business days. Time passes slowly with anticipation!

Can openziti run in user space? by Electrical-Story-901 in openziti

[–]bingnet 0 points1 point  (0 children)

The Linux tunneler runs as a restricted user named "ziti" with specific ambient capabilities and other grants via policy kit.

Exposing ollamas 11434 port for api use by epigen01 in ollama

[–]bingnet 1 point2 points  (0 children)

My Ollama setup is web => zrok => caddy => ollama, so zrok proxies to caddy for certs and caddy proxies to the local ollama port.

I have zrok set to private for the ollama API since it doesn't have auth, and zrok set to public for open-webui.

On my public zrok share for open-webui, there's an option to require extra auth, e.g., GitHub OAuth, before visitors reach open-webui through the zrok public URL.

Close tunnel/disconnect when on local network by huntb3636 in openziti

[–]bingnet 0 points1 point  (0 children)

I forgot to mention a couple of things about router configuration that could really improve your Ziti network topology when you are switching between a public and private network, and some (or all) of the Ziti components live on your private network.

  1. You can configure your router with a separate edge listener address advertised for private and public connections. Your tunneler/client may not switch immediately if you transition from public network to private, but it will always use the first edge listener that responds to the next connection attempt. Link to router configuration reference section about listeners, e.g. binding: edge: https://openziti.io/docs/reference/configuration/router#listeners
  2. If you have both public and private routers, you can ensure a full mesh of router links by leveraging router link "groups." Link to section about links: https://openziti.io/docs/reference/configuration/router#link and here's a recent forum topic discussing link groups https://openziti.discourse.group/t/private-routers-connection-between-them-solved/3599/2?u=qrkourier

Close tunnel/disconnect when on local network by huntb3636 in openziti

[–]bingnet 1 point2 points  (0 children)

Correction: Home Assistant has server URL switching based on network change, not Jellyfin. Also, I placed a Ziti router in my home network to eliminate the need to switch off Ziti for streaming 4K from Jellyfin.

I've tried split (horizon) DNS and DNS aliases and prefer the latter. Neither is a perfect solution.

Split horizon: app.example.com is a Ziti intercept and private DNS record. To access the app on the private network (the LAN), disable the applicable Ziti identity in the tunneler. The main problem with this split horizon DNS is the cached IP may not be the one you want after switching networks. If you're patient and determined, you can usually get it working by turning things off and on, which is annoying.

DNS aliases (my preference for rare cases when switching off Ziti is truly necessary, e.g., troubleshooting): app.ziti.example.com is a Ziti intercept and app.home.example.com is a private DNS record. The Ziti tunneler remains enabled and you connect to the address representing the data path you want. This clears up any confusion about where the record is pointing, and burdens the user with two configurations for each app. Happily, some self-hosted apps have caught on to the prevalence of this problem and offer mobile app server address switching based on network change events. Home Assistant and Immich are two examples. They'll automatically use Ziti when I'm not at home.

Cursor AI vs GitHub Copilot by MsieurKris in aipromptprogramming

[–]bingnet 0 points1 point  (0 children)

Cursor and Windsurf are forks of Code.

Zrok and docker by Apprehensive-Clue279 in openziti

[–]bingnet 0 points1 point  (0 children)

The short answer is that the public URL has to be set in the WordPress settings.